New Data Finds Women Still Only 10% Of Security Workforce

But more women hold governance, risk and compliance (GRC) roles than men, new (ISC)2 report finds.

The needle has not moved: new data released today by (ISC)2 and Booz Allen Hamilton shows that the percentage of women in cybersecurity worldwide has remained static over the past two years, holding at an anemic 10%.

That finding, from the new "Women in Security: Wisely Positioned for Future of InfoSec" report, reflects a long-perplexing issue for an industry that's scraping for talent to fill massive numbers of job vacancies every day. But the new findings don't technically mean that fewer women are joining the industry overall, according to the report, which was conducted by Frost & Sullivan on behalf of (ISC)2 and Booz Allen: in fact, the overall number of women joining the industry is on the rise. Their numbers just aren't keeping pace with the overall security workforce.

Women now dominate the governance, risk and compliance (GRC) sector of security, however: the report found that one in five women in security hold a GRC position, while just one in eight men do. According to the report, women were ahead of men in taking GRC jobs, and a focus group of women infosec leaders in the report said that collaborating with multiple groups and balancing business and risk issues are skills women are likely to have.

Gurdeep Kaur, a member of (ISC)2, says the GRC sector holds a solid career path for women with a combination of technical and business skills. "If I have the right balance of technical skills and business acumen, I may be in position to provide an advisory role, and gain confidence and move up [in a role] of the security ladder," she says.

Even as a minority demographic in the industry, women now hold higher advanced degrees in the field than men do, the study found. Of women in senior positions, 58% hold a Master's Degree or a Doctorate, whereas 47% of males in leadership positions do.

But the overall low representation of women in the industry remains problematic.

"We're not getting closer to general parity," says Julie Franz, (ISC)2 Foundation director. "If you [achieved] gender parity, it would wipe out the workforce gap."

Franz says one issue affecting the number of women is a language gap in how the industry describes the jobs and roles in security. It tends to lean toward the technical and abstract, rather than emphasize the real-world impact. "We talk too much about jobs being about things and technology … Women want to know they are securing the people who use the things."

Women's salaries still lag those of men in the industry. (ISC)2 compared salaries of men and women in the GRC space specifically, and found that women make 4.7% less than men, with an average salary of $115,779. Their male counterparts make $121,513.

Three factors appear to contribute to the higher male GRC salaries, according to the report: men stay in the industry longer than women, on average 15.2 years versus 14.5 years for women; more women have security analyst job titles than men, a job that pays about $95,000; and men rate monetary compensation higher than women do statistically. Around 58% of women in GRC rate monetary compensation as a top incentive, while around 62% of men do. Women rate work schedule and location flexibility higher than men do.

Franz says the data shows that women are less likely to change jobs than men, and that also accounts for the lower salary since job changes typically come with higher pay.

Interestingly, the average starting age for both male and female infosec pros is 30 years old. There's a gap overall in attracting or hiring young talent.

The bottom line is that entry-level security jobs are few and far between. "The requirement for experience for most [jobs] is higher than one would normally require for any entry-level position," (ISC)2's Franz says. "The need is so acute in cyber that the requirement for someone to hit the ground running is much higher."

Angela Messer, executive vice president at Booz Allen, says companies need to be more proactive in their training and recruiting. "The kind of skillsets we're seeing today have definitely evolved. They are not the same ones we needed five years ago," Messer says. "You have to be more proactive in taking nontraditional skillsets and repurposing and training them into these fields."

Frost & Sullivan surveyed some 14,000 security pros from around the globe for the report.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

The question is...is it social fabric or interest? Are women being detracted from these positions because of the way they deem they will be seen (societal views) or do the majority not have an interest and would prefer to pursue other fields? My thoughts are the latter.

I would hope that no one is steered away from a field due to a reason such as gender, race, ethnicity, etc.

It is a case by case basis, not an appeal to the masses campaign as everyone has different interests. As I said before I think that trying to close the disparity is not the right idea. What happens if you were to reach the goal of closing the gap or even eclipse the gap...do you then reverse your track and deter those you helped to close the reverse disparity? It's a never ending cycle.

Like I said before, if you are not prohibited from a field and are treated with respect it is not an issue.

Agree. 50/50 is not achievable. There will always be some people who do not like certain types of roles. This should happen in a natural way, 50/50 sounds like we somehow arranged it which is not practice. :--))

This is mentioning that it is a problem that there are not more women in the Security field. But from what I have seen working in a few SOCs in the public and Private sectors for many years is that they hire the PERSON who can answer the technical interview questions the best. I do not see any bias towards any race nor sex, simply "can this person perform the job duties?"

Most women have no interest in this type of work. The only way it will increase is if somehow women take more of an interest in the field. Half of the women I know who have been in the field have left for other positions they are more comfortable with. Several I have seen have done well in the field but wanted a more social type of a job and moved into positions such as account managers. For the ones that moved into positions like that they had some great experience with some technical background and did very well with that background in their new positions. The other half of the women were really into learning more and more about Network Security and have done very well in the field and I have seen no restrictions ever put on women that are not on men as well.

I believe, from my experience, the only problem is that most women are just not interested in the field and nothing more than that. If a female wants to get into the field there is nothing stopping them that would not also stop a male (of course there are some jerks who are sexists, but there are always exceptions and those often end up in the news nowadays).

I agree: no field of endeavor has ever been equally represented by gender, race or religion in accord with population percentages. It is absurd to try to change what will be changed and need not be changed.

Should the NBA recruit more white men?

Should women demand parity in the garbage collection workforce?

Should more non-jews hold leadership positions in the film and finance industries?

There is a global disparity in all industries. InfoSec, Nursing, Teaching, Finance, etc. It will never be 50/50. I still don't understand the need for 50/50 when it comes to representation of gender in the job market. I am not offended in any which way that women are more heavily represented in governance. This needs to be looked at more on a statistical basis rather than metrics that require change/action items. We need to look at this more holistically. Male or female, everyone is a person and as long as you are treated with respect and not prohibited from achieving your goals I do not see an issue.